CVE-2015-3227

The (1) jdom.rb and (2) rexml.rb components in Active Support in Ruby on Rails before 4.1.11 and 4.2.x before 4.2.2, when JDOM or REXML is enabled, allow remote attackers to cause a denial of service (SystemStackError) via a large XML document depth.

CVSS v2.0 5.0 MEDIUM

5.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:N/C:N/I:N/A:P

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact PARTIAL

References

Link	Resource
https://groups.google.com/forum/message/raw?msg=rubyonrails-security/bahr2JLnxvk/x4EocXnHPp8J	Vendor Advisory
http://openwall.com/lists/oss-security/2015/06/16/16
http://lists.opensuse.org/opensuse-updates/2015-07/msg00050.html
http://www.securityfocus.com/bid/75234
http://www.debian.org/security/2016/dsa-3464
http://www.securitytracker.com/id/1033755

Advertisement

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:opensuse:opensuse:13.2:::::::*
	cpe:2.3:o:opensuse:opensuse:13.1:::::::*

Configuration 2 (hide)

OR	cpe:2.3:a:rubyonrails:rails:4.1.6:::::::*
	cpe:2.3:a:rubyonrails:rails:4.1.5:::::::*
	cpe:2.3:a:rubyonrails:rails:4.1.4:::::::*
	cpe:2.3:a:rubyonrails:rails:4.1.3:::::::*
	cpe:2.3:a:rubyonrails:rails:4.1.8:::::::*
	cpe:2.3:a:rubyonrails:rails:4.1.7:::::::*
	cpe:2.3:a:rubyonrails:rails:4.2.0:::::::*
	cpe:2.3:a:rubyonrails:rails:4.2.1:::::::*
	cpe:2.3:a:rubyonrails:rails:4.1.2:::::::*
	cpe:2.3:a:rubyonrails:rails:4.1.1:::::::*
	cpe:2.3:a:rubyonrails:rails:4.1.0:::::::*

Information

Published : 2015-07-26 15:59

Updated : 2019-08-08 08:43

NVD link : CVE-2015-3227

Mitre link : CVE-2015-3227

JSON object : View

CWE

NVD-CWE-noinfo

Advertisement

Products Affected

rubyonrails

rails

opensuse

opensuse

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/bahr2JLnxvk/x4EocXnHPp8J", "name": "[rubyonrails-security] 20150616 [CVE-2015-3227] Possible Denial of Service attack in Active Support", "tags": ["Vendor Advisory"], "refsource": "MLIST"}, {"url": "http://openwall.com/lists/oss-security/2015/06/16/16", "name": "[oss-security] 20150616 [CVE-2015-3227] Possible Denial of Service attack in Active Support", "tags": [], "refsource": "MLIST"}, {"url": "http://lists.opensuse.org/opensuse-updates/2015-07/msg00050.html", "name": "openSUSE-SU-2015:1279", "tags": [], "refsource": "SUSE"}, {"url": "http://www.securityfocus.com/bid/75234", "name": "75234", "tags": [], "refsource": "BID"}, {"url": "http://www.debian.org/security/2016/dsa-3464", "name": "DSA-3464", "tags": [], "refsource": "DEBIAN"}, {"url": "http://www.securitytracker.com/id/1033755", "name": "1033755", "tags": [], "refsource": "SECTRACK"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "The (1) jdom.rb and (2) rexml.rb components in Active Support in Ruby on Rails before 4.1.11 and 4.2.x before 4.2.2, when JDOM or REXML is enabled, allow remote attackers to cause a denial of service (SystemStackError) via a large XML document depth."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2015-3227", "ASSIGNER": "secalert@redhat.com"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "NONE"}, "severity": "MEDIUM", "impactScore": 2.9, "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}}, "publishedDate": "2015-07-26T22:59Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.1.6:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.1.5:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.1.4:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.1.3:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.1.8:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.1.7:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.2.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.2.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.1.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.1.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.1.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2019-08-08T15:43Z"}